Questions tagged [owasp-top-ten]

For questions about the top ten list itself, such as categorization or inclusion criteria. Do not use just because the vulnerability you are asking about is on the list.

42 questions
38 votes, 5 answers

Is it really Security Misconfiguration to show a version number?

Our web application uses an HTML file with jQuery embedded inside. According to the jQuery license (https://jquery.org/license/), we have to leave the license header intact, including the version number. Our client reported exposure of the product…
stormtrooper (481 rep)
14 votes, 2 answers

Is the injection in a NoSQL database architecture also called SQL injection?

Is the injection in a NoSQL database architecture also called SQL injection and is it still part of the OWASP 2013 Top 10, category A1 Injection? For example, an injection in code that communicates with the following database architectures: Hadoop…
Bob Ortiz (6,234 rep)
11 votes, 3 answers

OWASP Top 10 style security guide for implementation in hardware devices

I've seen OWASP Top 10 guides for web apps, native apps, etc., but never anything for embedded systems or hardware devices. These usually involve microcontrollers (e.g. Atmega / PIC) or small microprocessors which execute code and accept input from…
Polynomial (132,208 rep)
9 votes, 5 answers

How do small businesses handle web app security?

Everything on OWASP's top 10 list, how do current small businesses (< 1000 employees) handle web application security, along with mobile security of their applications? Do they care about info/app security? Do businesses of this size pay for static…
9 votes, 4 answers

Why hasn't the OWASP Top 10 (web application) changed since 2013 while the Mobile Top 10 is as recent as 2016?

The latest edition of the OWASP Top 10 for web applications was in 2013, and for mobile applications it is 2016. Why is it so? Can we say that the pattern in web application vulnerabilities is settled? Will the same thing happen to mobile-based applications?
one (1,781 rep)
7 votes, 2 answers

Presentation on Web App Security (ACM Student Chapter)

I am a member of the local ACM student chapter in my university and as part of our activities I am scheduled to give a talk on current issues on Web Application Security (and possibly secure coding measures). The talk will be presented at the…
Ion (646 rep)
6 votes, 3 answers

What indicators did OWASP use to end up with OWASP Top 10?

I was asked by a student how OWASP Top 10 are ranked, based on which indicators: is it severity? ease of exploit? ease of implementing their countermeasures? ... Knowing that each of these vulnerabilities is either severe or not based on the mise…
Phoenician-Eagle (2,167 rep)
5 votes, 1 answer

Malicious NPM Package - Does it fit into OWASP Top Ten 2017?

On various security forums I have seen links to a post about a fictitious malicious NPM package harvesting information. The post's title: I’m harvesting credit card numbers and passwords from your site. Here’s how. The best quote in the post in my…
Ogglas (677 rep)
5 votes, 0 answers

How to encrypt cookies in Xamarin?

I have a Xamarin application which creates a few files in /data/data/my.app.com/app_webview after using it. The problem is that the cookies file is a file which contains session cookies. According to the OWASP top 10 Mobile, this is not…
VC_work (481 rep)
5 votes, 3 answers

OWASP Top 10? How about OWASP Top 1000?

Many people are aware of the "OWASP Top 10". I'm wondering if OWASP (or any similar authority) has gone above and beyond just the top 10 most commons attacks and made a larger list (e.g. the "OWASP Top 1,000", etc.). I'm fleshing out the…
zharvey (911 rep)
4 votes, 1 answer

Exploitation of client_id in OAuth

We have a web app where the back end is composed of APIs. We use OAuth to authorize the web app's call to the APIs. We all know that in OAuth, there is always the Authorization endpoint used to get the Authorization code, which in turn is used to…
user233194 (41 rep)
3 votes, 7 answers

Are URL shorteners "vulnerable" due to open redirects?

OWASP states that open redirect is a vulnerability: An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to…
Pacerier (3,253 rep)
3 votes, 2 answers

What vulnerabilities in the OWASP Top 10 are relevant to WordPress?

I have been looking at the OWASP Top 10, and am wondering which of the top 10 security risks are relevant to a WordPress installation with various plugins installed? I know injections and XSS are relevant for sure, but what about the…
novicePrgrmr (197 rep)
3 votes, 1 answer

Why does OWASP consider TouchID insecure?

As can be seen in 1 under the Am I Vulnerable... section, the OWASP page states that if the mobile app uses a feature like TouchID, it suffers from insecure authentication. The reasons for this are not obvious, though. Why is this considered…
cngkaygusuz (133 rep)
3 votes, 3 answers

Checking if a web application uses known vulnerable components

I've been doing research on the OWASP top 10 web application vulnerabilities; one of them is using components with known vulnerabilities. I'm a little confused here, as I don't understand how you could possibly check a web application for this. My…
Gyzo (43 rep)